How UK banks contain threats from cybercriminals

Many cyber-thieves target bank and business networks in a bid to steal data and cash

The UK's banks are regularly being caught out by cybercriminals, BBC research suggests.

Data from three sources indicates that spam, viruses and other malicious messages regularly emerge from machines sitting on banks' corporate networks.

It is likely that the computers were compromised when bank staff and contractors were caught out by booby-trapped email attachments.

They may also have visited sites seeded with code that infected their PCs.

Some of those infected machines are also likely to have been enrolled in a botnet - a large network of hijacked computers that are used by cybercriminals to distribute spam and viruses, attack other websites or as a source of saleable personal data.

But, say experts, banks are doing a better job than most at protecting their machines from malware.

Sending junk

The BBC found that in 2013 there were more than 20 incidents involving UK bank networks indicative of malicious activity. Similar, though lower, numbers were seen in 2012 and 2011. Some incidents involved addresses that have been sending junk for months but others were addresses seen sending spam for the first time.

Botnet basics

For its research project the BBC compiled a list of the internet address blocks used by a dozen of the UK's largest and best known financial institutions.

Everything connected to the net needs one of these addresses, an IP address, to ensure data reaches its destination.

Junk mail or spam is typically routed through a botnet because this helps spammers conceal its true origins and means it is delivered free.

Tracing the source IP address of spam can be a guide to which machines have been compromised.

The BBC asked those running spam databases to see if any bank IP address featured in that corpus of information.

Further analysis revealed that some of the junk was benign in that it was the banks' own marketing messages arriving at email addresses set up to capture spam. In most of the other cases the spam was distributing malware, involved in phishing or "pump and dump" scams or sought to trick people into visiting dangerous sites.

A separate dataset for 2012/13 shows fewer incidents year-on-year but revealed that seven corporate bank networks are regularly sending out junk, five are home to machines that are part of the well known Conficker botnet and eight are regular sources of malicious activity.

In addition, sources inside UK banks told the BBC that they deal with up to a dozen incidents a month of employees' machines getting infected with malware.

James Lyne, global head of security research at security firm Sophos, said evidence of a botnet on a bank network would be "exceptionally concerning".

"It would give attackers a foothold that they can exploit," he said.

The BBC was aided in its research project by an organisation that runs a huge collection of "spam traps" that log the sources of junk mail and also by researchers at Delft University of Technology, in the Netherlands, who study botnets. Anti-spam firm Cloudmark provided corroboration of some of the BBC's findings.

Most junk mail is routed through a botnet in a bid to avoid net filters

"There should be no spam coming out of these networks," said Prof Michel van Eeten from Delft who leads the team gathering data on botnets, adding that some of the bank networks studied had a "relatively consistent" problem with infections.

He was also worried about the continuing presence of machines that were part of the Conficker botnet because the exploit used to create that network has been known about and fixable for five years.

"If they are vulnerable to that you have to wonder what else they are vulnerable to," said Prof van Eeten. "This might show they can fall victim to a targeted attack more easily because those are much harder to avoid falling into."

One example of the types of targeted attack finance firms have to deal with is malware that only springs to life when it spots that it has infected a machine sitting on a bank network.

"It's a constant battle," said Matt Allen, director of financial crime at the British Bankers' Association, adding that the UK's banks had some of the strongest systems and controls in the world to defend themselves against cybercriminals.

Complexity is the enemy of securityJames Lyne, Sophos

"The criminal use of cyber-techniques is an integral part of financial crime offending," he said.

Banks' defence mechanisms operated both within and between individual institutions, he said, and involved them pooling information about recent attacks, tactics and methods.

"The challenge in this area is that as banks develop their controls in line with new criminal methodologies, new techniques will emerge," he said.

Most of the UK banks and building societies contacted by the BBC about its findings declined to comment. Most said they never talked publicly on security matters to avoid the accidental release of operational details.

Those that did respond said the net addresses appearing to send out spam were on corporate networks isolated from the systems that handled customer data and online banking transactions.

Bank check

Statistics gathered by security firm OpenDNS suggest that up to 900 botnets are active in late 2013. These crime networks typically involve many tens of thousands of machines. The biggest count millions of PCs as victims.

Experts are concerned that hackers could exploit the botnet breaches to cause damage

Botnets have become the standard tool of the cybercrime underground, said Mr Lyne from Sophos.

"Botnets used to do something very specific and were just associated with spam," said Mr Lyne. "Now what we are seeing is that from these botnets attackers will jump in and look for other opportunities."

Now compromised machines sitting on botnets tended to be more actively managed, he said. Some botnet owners would probably analyse addresses that machines report in from seeking out high value targets such as banks and government departments.

Often access to compromised PCs sitting on business networks are sold off on underground marketplaces to thieves who specialise in using those machines as a way to delve deeper into a corporate's computer systems.

Mr Lyne added that it was not surprising that banks were regularly having to find and flush out infected machines as they typically ran systems serving tens of thousands of users and a similar number of computers. Defending all those people and PCs against the 250,000 novel malware variants produced every day was a herculean task, he said.

"Complexity is the enemy of security," he said.

Despite finding that UK bank networks were regularly sending out spam, Prof van Eeten from Delft said the data showed that banks were doing a good job of defending themselves.

"Retail ISPs have infection rates that are several orders of magnitude higher," he said. "This is peanuts compared to that."

The BBC would like to thank Michel van Eeten, Hadi Asghari, Qasim Lone and Payam Poursaied from the Delft University of Technology for their help with this research project,